U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Office of the Secretary

Improvements Are Needed for Effective Web Security Management

Final Report No. OIG-12-002-A
October 21, 2011

FOR PUBLIC RELEASE

Office of Audit and Evaluation

UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

October 21, 2011

MEMORANDUM FOR:  Simon Szykman, Chief Information Officer

FROM:            Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:         Improvements Are Needed For Effective Web Security Management
                 Final Report No. OIG-12-002-A

Attached is our final report for the audit of the Department's web applications security. Our audit objective was to determine whether the Department's web applications are properly secured to minimize the risk of cyber attacks. We reviewed the security of 15 public-facing web applications from eight operating units: BEA, BIS, Census, NIST, NOAA, NTIA, NTIS, and USPTO.

We found that these web applications are not properly secured to minimize the risk of cyber attacks. The majority of these web applications have well-known website vulnerabilities, misconfigured back-end databases, and outdated software that support them. Identified vulnerabilities resulted from inadequate software development practices, improper software configuration, and failure to install system updates in a timely manner.

In this final report, we have summarized the Department's response to our draft report and included the formal response as an appendix. We will post this report on the OIG website pursuant to section 8L of the Inspector General Act of 1978, as amended.

Under Department Administrative Order 213-5, you have 60 calendar days from the date of this memorandum to submit an audit action plan to us. The plan should outline the actions you propose to take to address each recommendation.

We appreciate the cooperation and courtesies extended to us by your staff as well as operating units' staff during our audit. Please direct any inquiries regarding this report to me at (202) 482-1855 or Dr. Ping Sun, Director, IT Security, at (202) 482-6121, and refer to the report title in all correspondence.

Attachment

cc:  Dr. Steve Landefeld, Director, Bureau of Economic Analysis
     Eric L. Hirschhorn, Under Secretary for Industry and Security
     Dr. Robert M. Groves, Director, U.S. Census Bureau
     Dr. Patrick Gallagher, Director, National Institute of Standards and Technology
     Dr. Jane Lubchenco, Administrator, National Oceanic and Atmospheric Administration
     Lawrence E. Strickling, Administrator, National Telecommunications and Information Administration
     Bruce Borzino, Director of the National Technical Information Service
     David Kappos, Director of the U.S. Patent and Trademark Office
     Earl Neal, Director, Office of IT Security, Infrastructure and Technology
     Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer

Report In Brief
U.S. Department of Commerce Office of Inspector General
October 21, 2011

Improvements Are Needed for Effective Web Security Management (OIG-12-002-A)

Why We Did This Review

The Federal Information Security Management Act of 2002 requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. In addition, the Department’s IT Security policy reinforces these requirements. Accordingly, this report examines whether the Department’s web applications are properly secured to minimize the risk of cyber attacks.

Background

In recent years, the federal government and the Department in particular have taken advantage of Internet-based technologies to provide a wide range of essential information to the public. The Internet has become central to the Department’s mission to promote growth and retool the economy for sustained U.S. leadership in the 21st century. As this trend continues, the Department inevitably faces greater cybersecurity risks. Compromised websites could aid intrusions into organizations’ internal systems and networks. Therefore, it is essential to configure and maintain web applications properly to protect the confidentiality, integrity, and availability of information supporting the Department’s mission.

What We Found

Our assessment identified significant vulnerabilities resulting from inadequate software development practices, improper software configuration, and failure to install system updates in a timely manner. We found critical vulnerabilities in 12 of 15 (or 80 percent of) web applications we reviewed. The majority of web applications have well-known website vulnerabilities, misconfigured back-end databases, and outdated software that support them. Specifically, we found:

    •  Websites vulnerable to known weaknesses, potentially allowing compromise of the data stored on the application and users’ computers;
    •  Back-end databases not properly configured, potentially granting an attacker access to sensitive data; and
    •  Web applications residing on unsecure software, increasing the risk of being compromised.

Combined, these security weaknesses put both web applications and users’ computers at greater risk of compromise, resulting in disruption of services or unauthorized disclosure of sensitive information.

What We Recommended

We recommend that the Department’s Chief Information Officer work with operating unit senior management to:

    •  Ensure that operating units take corrective action to mitigate vulnerabilities we found during our vulnerability scan assessments;
    •  Expand the Department’s vulnerability scanning practice to include application-level assessments, such as database and website scans; and
    •  Utilize security best practices for publicly accessible web applications, such as users’ input validation, to ensure that only legitimate information is accepted.

U.S. Department of Commerce                                   Final Report
Office of Inspector General                               October 21, 2011

Contents

Introduction  1
Findings and Recommendations  3
   I.  The Department’s Web Applications Have Significant Security Weaknesses That Put Them at Risk of Successful Cyber Attacks  3
       A.  Websites Are Vulnerable to Known Weaknesses, Potentially Allowing Compromise of the Data Stored on the Application and Users’ Computers  3
       B.  Back-End Databases Are Not Properly Configured, Potentially Granting an Attacker Access to Sensitive Data  3
       C.  Web Applications Reside on Unsecure Software, Increasing the Risk of Being Compromised  4
   II. Recommendations  6
Summary of Agency Comments and OIG Response  7
Appendix A: Objective, Scope, and Methodology  8
Appendix B: Responses to OIG Draft Report  10

Introduction

In recent years, the federal government and the Department of Commerce in particular have taken advantage of Internet-based technologies, such as web applications, to provide a wide range of essential technical, economic, social, and environmental information to the public. In addition, the Internet has become central to the Department’s mission to promote growth and retool the economy for sustained U.S.
leadership in the 21st century. As this trend continues, the Department inevitably faces greater cybersecurity risks over the Internet—where attacks on commerce, vital business sectors, and government agencies have grown exponentially. Recently, two hacker groups have declared war on any government or agency website, attacking major government sites such as those hosted by the U.S. Senate and the Central Intelligence Agency.[1]

Public-facing web applications have additional security risks due to limited network boundary protection. A typical web application consists of:

    •  a website, which is the front-end interface for users to interact with the application via a web browser;
    •  a back-end database, which stores the application data; and
    •  supporting server infrastructure, which hosts the website and database (see figure 1).

Compromised websites could serve as an entry point for intrusions into organizations’ internal systems and networks. Therefore, it is essential to configure and maintain these applications properly to protect the confidentiality, integrity, and availability of information supporting the Department’s mission.

Figure 1. Major Components of a Typical Web Application
Source: OIG

[1] McCaney, K. June 20, 2011. LulzSec, Anonymous Declare War on Government Websites. Government Computer News.

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. The goal is to provide adequate security commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency. In addition, the Department’s IT Security policy reinforces these requirements.[2] Accordingly, the objective of this performance audit is to determine whether the Department's web applications are properly secured to minimize the risk of cyber attacks.

We assessed a targeted sample of 15 public-facing web applications selected from 8 operating units (OUs) that support the Department’s mission. Five of the selected applications generated annual revenue of over $245 million in fiscal year (FY) 2010 through online sales of goods, services, and permits. The remaining 10 applications supported export control activities, frequency spectrum management, satellite-aided search and rescue, and various mandatory business surveys.

Using commercial software tools, we conducted comprehensive vulnerability assessments on the selected websites, back-end databases, and underlying server infrastructure to evaluate their security posture. We tested those components externally from the Internet and internally from the OUs’ networks for known security weaknesses. As a result, we found that these web applications are not properly secured to minimize the risk of cyber attacks. Our assessment identified significant vulnerabilities that resulted from inadequate software development practices, improper software configuration, and failure to install system updates in a timely manner.

We have detailed the objective, scope, and methodology of our audit in Appendix A.

[2] The Department’s Information Technology Security Program Policy (ITSPP) specifies the security controls required to be implemented on the Department’s information systems as well as addressing FISMA requirements.

Findings and Recommendations

I.  The Department’s Web Applications Have Significant Security Weaknesses That Put Them at Risk of Successful Cyber Attacks

Our security assessment identified various vulnerabilities in all 15 web applications we reviewed. Particularly, we found critical vulnerabilities[3] in 12 of 15 (80 percent) web applications. The majority of web applications have well-known website vulnerabilities, misconfigured back-end databases, and outdated software that support them. Combined security weaknesses can put both web applications and users’ computers at a greater risk of compromise, resulting in disruption of services or unauthorized disclosure of sensitive information.

    A.  Websites Are Vulnerable to Known Weaknesses, Potentially Allowing Compromise of the Data Stored on the Application and Users’ Computers

Eleven of the 15 (73 percent) applications contained vulnerabilities known as cross-site scripting (XSS) and structured query language (SQL) injection.
Often, web users are asked to submit information such as their name, address, or credit card numbers via forms (referred to as web forms) on the web application. XSS vulnerabilities can allow an attacker to inject malicious code into a web application, by using the web forms, and then execute the malicious code on a user’s computer when the user is tricked into accessing the vulnerable site. Affected applications can be used to launch attacks on users’ computers—causing, at a minimum, embarrassment and diminishing public trust in the Department. Often such attacks can result in hackers gaining credentials (username and password) to the web application itself, thus compromising the confidentiality, integrity, and availability of the data residing on the application.

SQL injection allows an attacker to bypass the security controls of the front-end website and extract, modify, or destroy the data by issuing direct commands to the back-end database via web forms. This type of critical security weakness seriously undermines the confidentiality, integrity, and availability of the data residing on the application, specifically on the back-end database. We found that one web application, which collects credit card information, is vulnerable to SQL injection.

These vulnerabilities exist because a user’s input into a web form is not validated to eliminate potentially embedded malicious code before being accepted by a web application. Proper software programming practices should be implemented while developing web applications to ensure that users can submit only legitimate input via web forms.

    B.  Back-End Databases Are Not Properly Configured, Potentially Granting an Attacker Access to Sensitive Data

The Department’s security policy requires the use of passwords to support authentication for its information systems and applications.[4]
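To make finding A concrete, here is an added Python example (not code from this report or from any of the assessed applications) of a handler for a web form that collects the name, address, and card number fields the report mentions: the defective version that passes fields into SQL and HTML unvalidated, beside one that applies allow-list validation, bound SQL parameters, and output encoding. The in-memory table, the field rules, and the card-number checksum are constructed assumptions for the demonstration.

```python
"""Web-form handling: the defect behind finding A beside its fix.

Added example, not code from the OIG report or from any assessed
application. The order-form fields follow the report's description of
web forms; the table schema, the allow-list rules and the card-number
checksum are constructed for this demonstration.
"""
import html
import re
import sqlite3


def open_db():
    """Constructed in-memory table standing in for a back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (name TEXT, address TEXT, card TEXT)")
    return conn


# --- The defect: form fields reach SQL and HTML unvalidated and unencoded.

def save_order_unsafe(conn, name, address, card):
    """Builds SQL by string formatting, so input can change the statement.

    Even a legitimate apostrophe ("O'Brien") breaks the query; that is the
    same structural flaw that SQL injection relies on.
    """
    sql = f"INSERT INTO orders VALUES ('{name}', '{address}', '{card}')"
    conn.execute(sql)
    conn.commit()
    # Echoing the raw field into the page is the XSS pattern in finding A.
    return f"<p>Thank you, {name}</p>"


def unsafe_handler_breaks(name):
    """True if the unsafe path fails on this name (demo helper)."""
    try:
        save_order_unsafe(open_db(), name, "1 Main St", "4111111111111111")
        return False
    except sqlite3.OperationalError:
        return True


# --- The fix: allow-list validation, parameterised SQL, output encoding.

NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,79}")
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,#'/-]{0,199}")


def luhn_ok(digits):
    """Standard card-number check digit (Luhn) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_card(card):
    """Accept 13 to 19 digits (spaces or dashes allowed) that pass Luhn."""
    digits = re.sub(r"[ -]", "", card)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("card number must be 13 to 19 digits")
    if not luhn_ok(digits):
        raise ValueError("card number fails checksum")
    return digits


def validate_order(name, address, card):
    """Allow-list each field so only legitimate input is accepted."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains disallowed characters")
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address contains disallowed characters")
    return name, address, validate_card(card)


def accepted(name, address, card):
    """True if validate_order accepts the fields (demo helper)."""
    try:
        validate_order(name, address, card)
        return True
    except ValueError:
        return False


def save_order_safe(conn, name, address, card):
    name, address, digits = validate_order(name, address, card)
    # Bound parameters: the driver keeps data separate from SQL text, so a
    # quote in the name is stored literally instead of parsed as SQL.
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (name, address, digits))
    conn.commit()
    # Encode on output so characters significant to the browser are inert.
    return f"<p>Thank you, {html.escape(name)}</p>"


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM orders")]
```

Note that the name rule still admits an apostrophe: validation limits what is accepted, while the bound parameter and the output encoding are what keep accepted data from being interpreted as SQL or HTML.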
In addition, the policy establishes the requirements for a strong password such as the number and type of characters that users should employ.

[3] Critical vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing remote execution of malicious commands.
[4] Commerce Interim Technical Requirements 009: Password Requirements

Seven of the 15 (47 percent) applications assessed are not compliant with password requirements. Specifically, back-end database accounts were configured to have no passwords for authentication or weak passwords (such as common dictionary words or passwords that are the same as the user login name). We found three instances of accounts with weak passwords that had database administrator privileges. This security flaw puts data stored on those databases at a greater risk of unauthorized disclosure, alteration, or destruction. For example, one web application supporting search and rescue operations had a weak password that allowed full access to the sensitive data stored on the database. The integrity of this data is extremely important, and any unauthorized alteration or destruction could seriously undermine search and rescue activities, thus placing human life at risk.

We also discovered that 5 of the 15 (33 percent) web applications allow excessive access privileges on back-end databases. Such excessive privileges can allow any user to obtain sensitive system information such as other users’ passwords. These flaws, when combined with other identified vulnerabilities, can serve as leverage for further cyber attacks.

    C.  Web Applications Reside on Unsecure Software, Increasing the Risk of Being Compromised

The Department’s security policy, encompassing minimum security requirements for federal systems and the National Institute of Standards and Technology Recommended Security Controls for Federal Information Systems, requires by reference the identification, reporting, and correcting of software flaws that result in potential security vulnerabilities.[5] These requirements also include the mandate that newly released security patches, service packs, and “hot fixes” must be promptly installed. Our assessment identified that 11 of 15 (73 percent) applications reside on unsecure operating systems, thus putting them at risk of being compromised. Specifically, we found that operating systems, which host websites and back-end databases, are not being updated in a timely manner. Because of that, these applications are subject to multiple security flaws. In addition, three applications reside on operating systems that are no longer supported by the manufacturers. This means that there are no security patches or updates available, and the manufacturers are less likely to investigate and report new vulnerabilities. Operating systems are the foundation for web applications. When multiple security vulnerabilities coexist with outdated operating systems, the applications become more vulnerable to cyber attacks.

Table 1 presents a summary of each OU’s critical vulnerabilities discussed in this report. The identified security weaknesses are primarily caused by inadequate software development practices, improper configuration of software products (particularly databases), and failure to install system updates in a timely manner.

In addition, vulnerability assessment activities within the Department do not consistently cover websites and databases.
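The database configuration checks described in finding B (accounts with no password, passwords equal to the login name or to dictionary words, administrator privilege on such accounts, and ordinary accounts able to read other users' credentials), as an added Python example that is not the OIG's or any operating unit's code. The account inventory is constructed, and the length and character-class thresholds are an assumption, because the report cites CITR-009 without reproducing its numbers.

```python
"""Configuration checks for back-end database accounts, following finding B.

Added example, not code from the OIG report or from any operating unit.
The account inventory is constructed, and the length/character-class
thresholds are an assumption: the report cites CITR-009 without
reproducing its numbers.
"""
import re

# Constructed stand-in for a dictionary word list.
COMMON_WORDS = {"password", "welcome", "admin", "oracle", "database",
                "commerce", "changeme", "secret"}
# Role names treated as database administrator privilege (constructed).
ADMIN_ROLES = {"dba", "sysadmin", "superuser"}
# Constructed name for an object that exposes other users' credentials;
# a grant on it to an ordinary account is the "excessive privilege" case.
CREDENTIAL_OBJECTS = {"sys.user_credentials"}

MIN_LENGTH = 12      # assumption, not the CITR-009 value
MIN_CLASSES = 3      # assumption: classes out of lower/upper/digit/other

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_weakness(username, password):
    """Return why the password is weak under the report's criteria, or None."""
    if password == "":
        return "no password"
    if password.lower() == username.lower():
        return "password is the same as the user login name"
    if password.lower() in COMMON_WORDS:
        return "common dictionary word"
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if len(password) < MIN_LENGTH or classes < MIN_CLASSES:
        return (f"fails complexity policy ({len(password)} characters, "
                f"{classes} character classes)")
    return None


def check_account(account):
    """Return (severity, message) findings for one account record."""
    findings = []
    label = f"{account['db']}/{account['user']}"
    roles = {r.lower() for r in account.get("roles", [])}
    is_admin = bool(roles & ADMIN_ROLES)

    weak = password_weakness(account["user"], account["password"])
    if weak:
        # A weak password on a DBA account gives full access to the data,
        # the case the report rated most critical.
        severity = "critical" if is_admin else "high"
        suffix = " on database administrator account" if is_admin else ""
        findings.append((severity, f"{label}: {weak}{suffix}"))

    if not is_admin:
        for obj in account.get("grants", []):
            if obj.lower() in CREDENTIAL_OBJECTS:
                findings.append(("high", f"{label}: excessive privilege, "
                                         f"ordinary account can read {obj}"))
    return findings


def audit(accounts):
    """Run every check and return findings ordered critical first."""
    rank = {"critical": 0, "high": 1}
    findings = [f for acct in accounts for f in check_account(acct)]
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed inventory of the kind a configuration review would produce.
SAMPLE_ACCOUNTS = [
    {"db": "sar_ops", "user": "sysadmin", "password": "", "roles": ["DBA"]},
    {"db": "orders", "user": "webapp", "password": "webapp", "roles": []},
    {"db": "orders", "user": "report", "password": "Commerce",
     "roles": [], "grants": ["sys.user_credentials"]},
    {"db": "survey", "user": "etl", "password": "Gv7#pLq2!wNt",
     "roles": [], "grants": ["survey.responses"]},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACCOUNTS):
        print(f"[{severity.upper()}] {message}")
```

A database scanning tool establishes the same facts by testing logins and reading the privilege catalogue rather than from a plaintext inventory; the check logic is what this block shows.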
The Department’s security policy requires OUs to conduct vulnerability scanning (automated detection of software flaws and malicious code in system components) quarterly or when significant new vulnerabilities potentially affecting the system are identified and reported (for example, in a bulletin from a software manufacturer). However, beyond that requirement, the policy includes no specification of the scope and methodology of those vulnerability assessments. We found that this has resulted in inconsistent practices of vulnerability scanning across the Department. For example, only eight of the 15 (53 percent) applications have their front-end websites and back-end databases scanned using an application-specific scanning tool. Website scanning can identify critical application vulnerabilities such as cross-site scripting and SQL injection. Database scanning can check for inadequate security configuration settings on databases, such as weak passwords or excessive privileges. By expanding scanning coverage on websites and databases using application-specific scanning tools, the OUs will be able to identify vulnerabilities on all components of web applications.

[5] Flaw remediation is required control SI-2 in National Institute of Standards and Technology, August 2009. Recommended Security Controls for Federal Information Systems, NIST Special Publication 800-53, Revision 3. Gaithersburg, MD: NIST, D-7.

Table 1. Identified Critical Vulnerabilities by Operating Unit

Website vulnerabilities: SQL = SQL injection; XSS = cross-site scripting. Back-end database vulnerabilities: Weak pw = weak passwords; Excess priv = excessive access privilege. Server operating system vulnerabilities: Unsupp OS = unsupported OS; Unpatched = unpatched/outdated system software. X = vulnerability identified; - = none identified; N/A* = database not scanned.

    OU              SQL    XSS    Weak pw    Excess priv    Unsupp OS    Unpatched
    BEA              -      X       X           X              -            -
    BIS              -      -       -           -              -            -
    Census           -      X      N/A*        N/A*            X            X
    NIST             -      X       -           X              -            X
    NOAA/NESDIS      -      X       X           X              X            X
    NOAA/NMFS        -      -      N/A*        N/A*            -            -
    NOAA/NMFS        X      X       X           -              -            X
    NOAA/NOS         -      -      N/A*        N/A*            -            -
    NTIA             -      X       -           X              -            X
    NTIS             -      X       X           X              X            X
    USPTO            -      -       -           -              -            X
    USPTO            -      X       X           -              -            X
    USPTO            -      X       X           -              -            X
    USPTO            -      X       -           -              -            X
    USPTO            -      X       X           -              -            X

    * Databases were not scanned due to the limited capability of vulnerability assessment software tools.
    Source: OIG

During our fieldwork, we shared our preliminary assessment results with OU staff, who are currently taking corrective actions to remediate the vulnerabilities identified. OUs remediated the most critical issues, such as weak or no passwords on back-end databases, immediately after our discovery.

II.  Recommendations

We recommend that the Department’s Chief Information Officer work with operating unit senior management to:

    1.  Ensure that operating units take corrective action as necessary to mitigate vulnerabilities we found during our vulnerability scan assessments;
    2.  Expand the Department’s vulnerability scanning practice to include application-level assessments, such as database and website scans; and
    3.  Utilize security best practices for publicly accessible web applications, such as users’ input validation to ensure that only legitimate information is accepted, as recommended by NIST Special Publication 800-44, Guidelines on Securing Public Web Servers Version 2 (September 2007).

Summary of Agency Comments and OIG Response

We reviewed the Department’s official response to our draft report dated September 21, 2011. In its response, the Department concurred with our findings and recommendations—while noting its effort to increase its IT security posture in FY 2011, including a deployment of an enterprise-wide vulnerability management capability.

The Department also provided technical comments separately, which we addressed in the report where appropriate.

Appendix A: Objective, Scope, and Methodology

Our objective was to determine whether the Department's web applications are properly secured to minimize the risk of cyber attacks.
This report describes key vulnerabilities that require senior\nmanagement\xe2\x80\x99s attention. In general, we do not detail our findings for the individual applications\nreviewed unless such is necessary for clarity.\nThe Department\xe2\x80\x99s Office of Chief Information Officer provided us with an inventory of over 800\nweb applications. Our assessment focused on a targeted sample of 15 web applications from the\nfollowing departmental operating units/subunits (See table I).\n              Table I. Applications Selected for Technical Assessment a\n\n                                                                      Number\n                    Operating Unit                                    of Web\n                                                                      Applications\n\n                    Bureau of Economic Analysis (BEA)                        1\n\n                    Bureau of Industry and Security (BIS)                    1\n\n                    U.S. Census Bureau (Census)                              1\n                    National Institute of Standards and Technology\n                                                                             1\n                    (NIST)\n\n                    National Oceanic and Atmospheric\n                    Administration (NOAA)\n\n                    National Environmental Satellite, Data, and\n                    Information Service (NESDIS)                             4\n\n                    National Marine Fisheries Service (NMFS)\n\n                    National Ocean Service (NOS)\n\n\n                    National Telecommunications and Information              1\n                    Administration (NTIA)\n\n\n                    National Technical Information Service (NTIS)            1\n\n\n                    U.S. 
Patent and Trademark Office (USPTO)                 5\n\n                    Source: OIG\n                    a\n                      For security purposes, OIG will not disclose specific details\n                    about the types of web applications assessed.\n\n\n\n\n                                                    8\n\x0cU.S. Department of Commerce                                                              Final Report\nOffice of Inspector General                                                          October 21, 2011\n\n\nWe selected these public-facing web applications based on their business functions, which\npotentially store or process sensitive, privacy or mission-critical data such as credit cards\nnumbers and business or personal information.\nUsing a combination of automated software tools and manual review, we performed internal\n(e.g., bypassing network boundary protection, such as firewalls) and external vulnerability\nassessments on 15 selected public facing web applications, focusing on their front-end website\ninterfaces, the back-end databases, and supporting servers. Due to the limited capability of\nvulnerability assessment software tools, we were not able to scan back-end databases associated\nwith three web applications. For two other web applications, we limited our scans to their test\nenvironment systems due to the concern that such activity can disrupt the service. We validated\nthat the test systems had very similar configurations to the production systems. We shared our\nassessment results with web application owners, and sought their feedback to validate identified\nvulnerabilities to eliminate false positives. 
We also interviewed operating unit staff as needed to assess the effectiveness of the Department's security practices.

We conducted our field work from January to August 2011 at Commerce headquarters, various field offices, and contractor hosting facilities in the District of Columbia, Florida, Maryland, and Virginia.

We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated August 31, 2006. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

Appendix B: Response to OIG Draft Report

UNITED STATES DEPARTMENT OF COMMERCE
Office of the Chief Information Officer
Washington, D.C. 20230

OCT 11 2011

MEMORANDUM FOR:    Allen Crawley
                   Assistant Inspector General for Systems Acquisition and IT Security

THROUGH:           Earl B. Neal
                   Director, Office of IT Security, Infrastructure and Technology

FROM:              Simon Szykman
                   Chief Information Officer

SUBJECT:           Department's Comments in Response to the FY11 Draft Report
                   Improvements Are Needed for Effective Web Security Management.

This memorandum serves as the Department's response to the Commerce Inspector General's Draft FY 11 Report Improvements Are Needed for Effective Web Security Management.

The Department's Chief Information Officer (CIO) concurs with the findings and recommendations outlined within this report. The Department notes enhancements in its IT security posture in FY 11 including deployment of an enterprise-wide vulnerability management capability. We appreciate the collaborative effort by the OIG that has resulted in remediating most of the critical deficiencies identified in this report.

The Department looks forward to receiving the Commerce Inspector General's final report.

Please contact Tim Hurt, IT Security Compliance Officer, at (202) 482-4822, if you have any questions.

cc:   Dr. Steve Landefeld, BEA
      Eric L. Hirschhorn, BIS
      Dr. Robert M. Groves, U.S. Census Bureau
      Dr. Patrick Gallagher, NIST
      Dr. Jane Lubchenco, NOAA
      Lawrence E. Strickling, NTIA
      Bruce Borzino, NTIS
      David Kappos, PTO

(1200000-117)